[Bug]: Passwordless API errors with a 500 if non-existent application Id provided

Open mooreds opened this issue 1 year ago • 0 comments

What happened?

When I ran a sample passwordless login script with an applicationId that did not exist, FusionAuth returned a 500.

API_KEY=VALID_SANDBOX_API_KEY
REQUEST_PAYLOAD='
{
  "applicationId": "10000000-0000-0002-0000-000000000001",
  "loginId": "[email protected]",
  "state": {
    "client_id": "10000000-0000-0002-0000-000000000001",
    "redirect_uri": "https://piedpiper.com/callback",
    "response_type": "code",
    "scope": "openid",
    "state": "CSRF123"
  }
}
'
curl  -v -H "Content-type: application/json" -H "Authorization: $API_KEY" https://sandbox.fusionauth.io/api/passwordless/start -d "$REQUEST_PAYLOAD"

Here's an excerpt of the curl response:

* [HTTP/2] [1] [content-length: 303]
> POST /api/passwordless/start HTTP/2
> Host: sandbox.fusionauth.io
> User-Agent: curl/8.6.0
> Accept: */*
> Content-type: application/json
> Authorization: 90d8fb62-6f13-47d4-8ef6-1c3e687883c6
> Content-Length: 303
> 
< HTTP/2 500 
< date: Tue, 23 Jul 2024 22:44:07 GMT
< content-type: application/json; charset=UTF-8
< cache-control: no-store

Here's the output from the system log file:

2024-07-23 10:44:07.266 PM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
io.fusionauth.app.primeframework.exceptions.FusionAuthMissingFormatArgumentException: Failed to format message [[invalid]applicationId]. Cause: Format specifier '%s'
	at io.fusionauth.app.service.FrontEndSupport.addFieldError(FrontEndSupport.java:214)
	at io.fusionauth.app.service.FrontEndSupport.lambda$transfer$1(FrontEndSupport.java:686)
	at java.base/java.lang.Iterable.forEach(Iterable.java:75)
	at io.fusionauth.app.service.FrontEndSupport.lambda$transfer$2(FrontEndSupport.java:686)
	at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:721)
	at io.fusionauth.app.service.FrontEndSupport.transfer(FrontEndSupport.java:686)
	at io.fusionauth.app.action.api.passwordless.StartAction.validate(StartAction.java:57)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.primeframework.mvc.util.ReflectionUtils.invoke(ReflectionUtils.java:443)
	at org.primeframework.mvc.validation.DefaultValidationProcessor.validate(DefaultValidationProcessor.java:77)
	at org.primeframework.mvc.validation.DefaultValidationWorkflow.perform(DefaultValidationWorkflow.java:44)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.security.DefaultSecurityWorkflow.perform(DefaultSecurityWorkflow.java:79)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.parameter.DefaultPostParameterWorkflow.perform(DefaultPostParameterWorkflow.java:49)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.content.DefaultContentWorkflow.perform(DefaultContentWorkflow.java:74)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.parameter.DefaultParameterWorkflow.perform(DefaultParameterWorkflow.java:58)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.parameter.DefaultURIParameterWorkflow.perform(DefaultURIParameterWorkflow.java:92)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.scope.DefaultScopeRetrievalWorkflow.perform(DefaultScopeRetrievalWorkflow.java:50)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:119)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:65)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.cors.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:65)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:108)
	at org.primeframework.mvc.PrimeMVCRequestHandler.handle(PrimeMVCRequestHandler.java:73)
	at io.fusionauth.http.server.HTTPWorker.run(HTTPWorker.java:50)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.util.MissingFormatArgumentException: Format specifier '%s'
	at java.base/java.util.Formatter.format(Formatter.java:2688)
	at org.primeframework.mvc.message.l10n.ResourceBundleMessageProvider.getOptionalMessage(ResourceBundleMessageProvider.java:103)
	at org.primeframework.mvc.message.l10n.ResourceBundleMessageProvider.getMessage(ResourceBundleMessageProvider.java:76)
	at io.fusionauth.app.service.FrontEndSupport.addFieldError(FrontEndSupport.java:211)
	... 40 common frames omitted

If I try the same message with a valid application but with passwordless functionality disabled, I get a 400, which is expected.

Version

1.51.2

Affects Versions

No response

mooreds avatar Jul 23 '24 22:07 mooreds
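The stack trace above ends in a `MissingFormatArgumentException` raised while the `[invalid]applicationId` field error was being formatted. The following Java program is an added example, not FusionAuth or Prime MVC code: it reproduces that failure mode and shows a guarded lookup that keeps the response a 400. The class, the template text, the `ApiResponse` record and the status mapping are assumptions; only the message key comes from the log.

```java
import java.util.Arrays;
import java.util.IllegalFormatException;
import java.util.Map;

public class FieldErrorFormatting {
    // Constructed bundle: only the key appears in the log; the template text is assumed.
    static final Map<String, String> MESSAGES =
        Map.of("[invalid]applicationId", "Invalid applicationId [%s].");

    record ApiResponse(int status, String message) {}

    // Unguarded lookup: a template/argument mismatch escapes as an unchecked exception.
    static String formatStrict(String key, Object... args) {
        return String.format(MESSAGES.get(key), args);
    }

    // Guarded lookup: on a mismatch, fall back to the key and raw values so the
    // caller can still report a validation error.
    static String formatSafe(String key, Object... args) {
        try {
            return String.format(MESSAGES.getOrDefault(key, key), args);
        } catch (IllegalFormatException e) { // parent of MissingFormatArgumentException
            return key + " " + Arrays.toString(args);
        }
    }

    // Hypothetical validation step for an applicationId that does not exist.
    static ApiResponse rejectUnknownApplication(boolean guarded) {
        String key = "[invalid]applicationId";
        try {
            // Call-site defect kept on purpose: no value is passed for the %s placeholder.
            String message = guarded ? formatSafe(key) : formatStrict(key);
            return new ApiResponse(400, message);
        } catch (RuntimeException e) {
            // Stand-in for a framework's catch-all handler for unhandled exceptions.
            return new ApiResponse(500, e.getClass().getSimpleName());
        }
    }

    public static void main(String[] args) {
        System.out.println(rejectUnknownApplication(false));
        System.out.println(rejectUnknownApplication(true));
    }
}
```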